The Cable Guy - August 2002

IPSec NAT Traversal Overview

Historically, one of the issues with deploying Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec) is that IPSec peers cannot be located behind a Network Address Translator (NAT). Internet service providers and small office/home office (SOHO) networks commonly use NATs to share a single public IP address. Although NATs help conserve the remaining IP address space, they also introduce problems for end-to-end protocols such as IPSec.

A new technology known as IPSec NAT Traversal (NAT-T) is in the process of being standardized by the IPSec Working Group of the Internet Engineering Task Force (IETF). IPSec NAT-T is described in the Internet drafts titled "UDP Encapsulation of IPSec Packets" and "Negotiation of NAT-Traversal in the IKE". IPSec NAT-T defines both changes in the negotiation process and different methods of sending IPSec-protected data.

If both of these conditions are true, the peers automatically use IPSec NAT-T to send IPSec-protected traffic across a NAT. If either peer does not support IPSec NAT-T, then normal IPSec negotiations (beyond the first two messages) and IPSec protection is performed. If both peers support IPSec NAT-T and there are no NATs between them, normal IPSec protection is performed.

This article examines the problems associated with using IPSec across NATs, how these problems are solved by IPSec NAT-T (based on version 2 of the IPSec NAT-T Internet drafts), and the resulting changes in the Internet Key Exchange (IKE) negotiation for Quick Mode and Main Mode negotiations.

Note IPSec NAT-T is only defined for ESP traffic.

Problems Associated with using IPSec over NATs

The problems associated with using IPSec over NATs are the following:

NATs cannot update upper-layer checksums.

TCP and UDP headers contain a checksum that incorporates the values of the source and destination IP addresses and port numbers. When a NAT changes the IP address and/or port number of a packet, it normally updates the TCP or UDP checksum. When the TCP or UDP checksum is encrypted with ESP, it cannot be updated. Because the addresses or ports have been changed by the NAT, the checksum verification fails at the destination. Although UDP checksums are optional, TCP checksums are required.

NATs cannot multiplex IPSec data streams.

ESP-protected IPSec traffic does not contain a visible TCP or UDP header. The ESP header is between the IP header and the encrypted TCP or UDP header and uses the IP protocol of 50. Because of this, the TCP or UDP port numbers cannot be used to multiplex traffic to different private network hosts. The ESP header contains a field named the Security Parameters Index (SPI). The SPI is used, in conjunction with the destination IP address in the plaintext IP header and the IPSec security protocol (ESP or AH), to identify an IPSec security association (SA).

For inbound traffic to the NAT, the destination IP address must be mapped to a private IP address. For multiple IPSec peers on the private side of a NAT, the destination IP address of inbound traffic for multiple IPSec ESP data streams is the same address. To distinguish one IPSec ESP data stream from another, the destination IP address and SPI must either be tracked or mapped to a private destination IP address and SPI.

Because the SPI is a 32-bit number, the chance of using the same SPI value between multiple private network clients is low. The problem is that it is difficult to determine which outbound SPI value corresponds to which inbound SPI value.

NATs cannot map the SPI, because the ESP trailer contains a hashed message authentication code (HMAC) that verifies the integrity of the ESP protocol data unit (PDU) (consisting of the ESP header, the ESP payload, and the ESP trailer), the SPI cannot be changed without invalidating the HMAC value.

IKE UDP port number cannot be changed.

Some implementations of IPSec use UDP port 500 as both the source and destination UDP port number. However, for an IPSec peer located behind a NAT, the NAT changes the source address of the initial IKE Main Mode packet. Depending on the implementation, IKE traffic from a port other than 500 might be discarded.

NAT timeout of IKE UDP port mapping can cause problems.

UDP mappings in NATs are often deleted very quickly. The initiator's IKE traffic creates a UDP port mapping in the NAT that is used for the duration of the initial Main Mode and Quick Mode IKE negotiations. However, if the responder later sends IKE messages to the initiator and the UDP port mapping is not present, it is discarded by the NAT. This can cause IPSec SAs to time out and be removed by the responder.

Identification IKE payload contains embedded IP addresses.

For the Main Mode and Quick Mode negotiations, each IPSec peer sends an Identification IKE payload that includes an embedded IP address for the sending peer. Because the source address of the sending node has been changed by a NAT, the embedded address does not match the IP address of the IKE packet. An IPSec peer that validates the IP address of the Identification IKE payload will discard the packet and abandon the IKE negotiation.

Overview of NAT-T Changes to IPSec

The following are the changes to IPSec for NAT-T:

UDP encapsulation for ESP

A UDP header is placed between the outer IP header and the ESP header, encapsulating the ESP PDU. The same ports that are used for IKE are used for UDP-encapsulated ESP traffic.

A modified IKE header format

The IPSec NAT-T IKE header contains a new Non-ESP Marker field that allows a recipient to distinguish between a UDP-encapsulated ESP PDU and an IKE message. IPSec NAT-T-capable peers begin to use the new IKE header after they have determined that there is an intermediate NAT.

A new NAT-Keepalive packet

A UDP message that uses the same ports as IKE traffic, contains a single byte (0xFF), and is used to refresh the UDP port mapping in a NAT for IKE and UDP-encapsulated ESP traffic to a private network host.

A new Vendor ID IKE payload

This new payload contains a well-known hash value, which indicates that the peer is capable of performing IPSec NAT-T.

A new NAT-Discovery (NAT-D) IKE payload

This new payload contains a hash value that incorporates an address and port number. An IPSec peer includes two NAT-Discovery payloads during Main Mode negotiationone for the destination address and port and one for the source address and port. The recipient uses the NAT-Discovery payloads to discover whether a NAT translated addresses or port numbers, and, based on which addresses and ports were changed, which peers are located behind NATs.

These two new encapsulation modes are specified during Quick Mode negotiation to inform the IPSec peer that UDP encapsulation for ESP PDUs should be used.

A new NAT-Original Address (NAT-OA) IKE payload

This new payload contains the original (untranslated) address of the IPSec peer. For UDP-encapsulated ESP transport mode, each peer sends the NAT-OA IKE payload during Quick Mode negotiation. The recipient stores this address in the parameters for the SA.

IPSec NAT-T Solutions to the Problems of Using IPSec over NATs

IPSec NAT-T solves the problems of using IPSec across a NAT in the following ways:

Problem: NATs cannot update upper-layer checksums.

Solution: By sending the original address in the NAT-OA IKE payload, a recipient has all of the information it needs to verify the upper-layer checksum (source and destination IP addresses and ports) after it is decrypted.

Problem: NATs cannot multiplex IPSec data streams.

Solution: By encapsulating the ESP PDU with a UDP header, the NAT can use the UDP ports to multiplex the IPSec data streams. Tracking the SPI in the ESP header is no longer necessary.

Problem: IKE UDP port number cannot be changed.

Solution: IPSec NAT-T peers can accept IKE messages from a source port other than 500. Additionally, to prevent an IKE-aware NAT from modifying IKE packets, IPSec NAT-T peers change the IKE UDP port of 500 to the UDP port 4500 during Main Mode negotiation. To allow IKE traffic using this new UDP port, you might have to configure your firewalls to permit UDP port 4500.

Problem: Identification IKE payload contains embedded IP addresses.

Solution: By sending the original address in the NAT-OA IKE payload, a recipient has the original address with which to verify the contents of the Identification IKE payload during Quick Mode negotiation. Because the NAT-OA IKE payload is not sent until Quick Mode negotiation occurs, IPSec implementations that validate the IP address in the Identification IKE payload that is sent during Main Mode must either not perform this validation or validate the peer by using another mechanism, such as name verification.

Problem: NAT timeout of IKE UDP port mapping can cause problems.

Solution: By sending periodic NAT Keepalive packets, the UDP port mapping for both continued IKE negotiations and UDP-encapsulated ESP PDUs is refreshed in the NAT.

Example IKE Negotiation for Main Mode and Quick Mode SAs using IPSec NAT-T

The addition of the new NAT-D and NAT-OA payloads and UDP tunnel types modifies Main Mode and Quick Mode IKE negotiations. For example, the following table shows the use of the Vendor-ID and NAT-D IKE payloads during Quick Mode negotiation for a Windows-based IPSec peer using Kerberos authentication. The additional IKE payload and message changes for IPSec NAT-T are bolded.

If both nodes are IPSec NAT-T-capable and there is at least one NAT between them, they use IPSec NAT-T options in the Quick Mode negotiation. Assuming that there is at least one NAT between these two peers, the resulting Quick Mode negotiation is shown in the following table.